CVE-2023-4596: Critical WordPress plugin Forminator flaw affects over 400k sites

CVE-2023-4596

In the vast universe of WordPress plugins, Forminator stands as a beacon of efficiency and functionality. Touted as the Swiss army knife for form creation, it boasts an impressive array of features: from the humble contact form to intricate order forms, PayPal-powered payment gateways, quirky Buzzfeed-inspired quizzes, and more. With over 400,000 installations, Forminator is undeniably a cornerstone of many WordPress sites.

A critical vulnerability has been found in Forminator that could allow unauthenticated attackers to upload arbitrary files to the affected site’s server.

The vulnerability, tracked as CVE-2023-4596, is an unauthenticated arbitrary file upload flaw. It carries a CVSS base score of 9.8 (Critical), and with the plugin's install base that puts several hundred thousand sites at potential risk until they are patched.


The root of the issue lies in the order of operations in Forminator's file-upload handling. A correct upload handler verifies the file's type and extension against an allowlist before anything is written to disk. In Forminator's case, the validation step runs only after the file has already been written to a web-accessible upload directory under its original name and extension. It's akin to letting a stranger into your home and then checking their identification: by the time the check fails, the file is already where the attacker wanted it.

This ordering mistake permits unauthenticated attackers, meaning anyone who can reach the site without an account or credentials, to place arbitrary files on the server. If the file is a PHP script (or carries an extension the web server hands to a script interpreter) and the upload location executes scripts, the upload becomes remote code execution: the attacker can run commands on the affected server simply by requesting the uploaded file over HTTP.
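The ordering bug described above, modelled in Python as an added example (this is not Forminator's PHP code, and the allowlist, magic-byte table and filenames are constructed for the illustration). `vulnerable_save()` writes first and validates second, so a rejected webshell is still left on disk; `hardened_save()` validates the in-memory bytes first, rejects double extensions, and writes under a server-generated name with an exclusive-create open so nothing is overwritten.

```python
import os
import secrets
import tempfile

# Allowlist of extensions the form accepts, each with the magic bytes a real
# file of that type starts with. Constructed for this example.
ALLOWED_TYPES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}


def validate_upload(filename: str, content: bytes) -> str:
    """Return the canonical extension if the upload is acceptable, else raise ValueError.

    Every check runs on the in-memory bytes; nothing here touches the filesystem.
    """
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    # Reject names without an extension and double extensions such as
    # shell.php.png, which some server configurations execute as PHP.
    if len(parts) != 2 or not parts[0]:
        raise ValueError(f"rejected {filename!r}: need exactly one extension")
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        raise ValueError(f"rejected {filename!r}: extension {ext!r} not allowed")
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise ValueError(f"rejected {filename!r}: content is not a {ext} file")
    return ext


def vulnerable_save(upload_dir: str, filename: str, content: bytes) -> str:
    """Flawed ordering: write first, validate second (the pattern behind the CVE).

    When validate_upload() raises, the attacker's file already sits in the
    upload directory under its original name and extension.
    """
    dest = os.path.join(upload_dir, os.path.basename(filename))
    with open(dest, "wb") as fh:
        fh.write(content)
    validate_upload(filename, content)  # too late: raises, but the file stays
    return dest


def hardened_save(upload_dir: str, filename: str, content: bytes) -> str:
    """Validate before writing, and never reuse the client-supplied name."""
    ext = validate_upload(filename, content)  # raises before any write happens
    dest = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    # "xb" fails if the name already exists, so an upload cannot overwrite a file.
    with open(dest, "xb") as fh:
        fh.write(content)
    return dest


def demo() -> dict:
    """Run both handlers against constructed samples; report what landed on disk.

    Returns {(handler, filename): (outcome, files_left_in_upload_dir)}.
    """
    samples = {
        "shell.php": b"<?php system($_GET['cmd']); ?>",        # constructed webshell
        "shell.php.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,   # valid PNG header, double extension
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,       # minimal legitimate PNG header
    }
    results = {}
    for label, handler in (("vulnerable", vulnerable_save), ("hardened", hardened_save)):
        for name, content in samples.items():
            with tempfile.TemporaryDirectory() as upload_dir:
                try:
                    handler(upload_dir, name, content)
                    outcome = "accepted"
                except ValueError:
                    outcome = "rejected"
                results[(label, name)] = (outcome, sorted(os.listdir(upload_dir)))
    return results


if __name__ == "__main__":
    for (label, name), (outcome, files) in demo().items():
        print(f"{label:10s} {name:14s} {outcome:8s} left on disk: {files}")
```

Note that the vulnerable handler does report an error for `shell.php`; the problem is not the verdict but that the file is already reachable by the time the verdict is reached. Deleting it after the failed check would narrow the window but not close it, which is why the fix is to validate before the write.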

An attacker who exploits CVE-2023-4596 gets to choose both the name and the contents of a file placed on the server. Depending on the file and the server configuration, that file could be used to:

  • Execute arbitrary code on the server
  • Steal sensitive data from the server
  • Disrupt the operation of the website

Moreover, with a proof-of-concept already circulating in the wild, the risk is even higher: attackers no longer need to work out the upload request themselves, and unauthenticated file uploads of this kind are routinely automated across many sites at once.

Users of Forminator should update to version 1.25.0 or newer, which contains the fix, as soon as possible. If you cannot update immediately, deactivate the Forminator plugin until you can; a deactivated plugin does not register its upload handlers, so the vulnerable code path is not reachable.

In addition to updating the plugin, you can take the following steps to protect your site from this vulnerability:

  • Keep your WordPress core and all plugins up to date, and remove plugins you no longer use.
  • Use a security plugin or vulnerability scanner that checks installed plugin versions against known advisories.
  • Configure the web server so that scripts in the uploads directory are never executed (for example, deny PHP handling under wp-content/uploads); this limits the damage from any upload flaw, not just this one.
  • Review the uploads directory for files with script extensions or PHP content, and check access logs for unexpected POST requests from unauthenticated clients around the time the advisory was published.
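A check for the last point, as an added example that is not part of the original advisory: it walks an uploads directory and flags files that either carry a script extension anywhere in their name (so `image.php.jpg` is caught) or begin with PHP open tags regardless of extension. The directory tree and file contents are constructed here so it runs offline; point `scan_uploads()` at a real `wp-content/uploads` to use it.

```python
import os
import tempfile

# Extensions that common PHP handler configurations execute. Constructed list
# for this example; extend it to match your server's handler mappings.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}
PHP_TAGS = (b"<?php", b"<?=")


def is_suspicious(path: str, head_bytes: int = 4096) -> bool:
    """True if the file has a script extension or its first bytes contain PHP tags.

    Every extension segment is checked, so shell.php.jpg is caught, and the
    leading bytes are inspected so a renamed script (notes.txt holding <?php)
    is caught too.
    """
    name = os.path.basename(path).lower()
    segments = name.split(".")[1:]  # everything after the base name
    if any(seg in SCRIPT_EXTENSIONS for seg in segments):
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(head_bytes)
    except OSError:
        return False
    return any(tag in head for tag in PHP_TAGS)


def scan_uploads(uploads_dir: str) -> list:
    """Walk an uploads tree and return suspicious files as paths relative to it."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for fname in files:
            full = os.path.join(root, fname)
            if is_suspicious(full):
                hits.append(os.path.relpath(full, uploads_dir))
    return sorted(hits)


def build_sample_uploads() -> str:
    """Create a constructed uploads tree mixing normal media with planted shells."""
    base = tempfile.mkdtemp(prefix="uploads-")
    files = {
        "2023/08/photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,              # benign JPEG header
        "2023/08/brochure.pdf": b"%PDF-1.4\n",                                # benign PDF header
        "2023/08/cmd.php": b"<?php system($_GET['c']); ?>",                   # plain webshell
        "2023/08/image.php.jpg": b"\xff\xd8\xff" + b"<?php eval($_POST['x']); ?>",  # double extension
        "2023/09/notes.txt": b"<?= shell_exec($_GET['c']) ?>",                # PHP under a harmless name
    }
    for rel, content in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    sample = build_sample_uploads()
    for hit in scan_uploads(sample):
        print("suspicious:", hit)
```

A hit from this scan is a reason to investigate, not proof of compromise on its own: compare the file's timestamp with the access logs and with the date the plugin was updated. If the web server is already configured not to execute scripts under the uploads directory, a planted file cannot run, but it still shows that someone reached the vulnerable endpoint.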